U.S. patent application Ser. No. 10/624,344 to Bardsley et al. (hereinafter “the '344 application”) describes a means for instrumenting threat management information so as to permit automation of the application of threat countermeasures to arbitrary program instances at target systems. The '344 application further describes a method for assimilating free-form security vulnerability and countermeasure information into a construction known as a Threat Management Vector (TMV) for the purpose of conveying precise and actionable threat management information to a network of computer systems.
U.S. patent application Ser. No. 10/624,158 to Bardsley et al. (hereinafter “the '158 application”) describes a method and apparatus for the automated application of threat countermeasures at target systems using a specific transmutation of the TMV described in the '344 application.
U.S. patent application Ser. No. 10/791,560 to Bardsley et al. (hereinafter “the '560 application”) describes a Threat Management Domain Controller (TMDC) for coordinating interactions between a centralized TMV source and target computer systems within a domain. The '560 application also describes a self-healing threat management messaging network.
U.S. patent application Ser. No. 10/890,798 to McKenna (hereinafter “the '798 application”) describes multiple classes of countermeasures, namely, intrusion detection countermeasures (IDCs), intrusion response countermeasures (IRCs), and vulnerability remediation countermeasures (VRCs), within the countermeasures vector of a TMV. The '798 application also describes methods for the use of such countermeasures classes to discover and repair security intrusions that exist before vulnerability remediation countermeasures are applied. Thus, the methods and systems of the '344 application, the '158 application, and the '560 application could be applied to a computer system with an already-exploited security vulnerability.
While the applications above describe methods to automatically detect, respond to, and remediate computer security vulnerabilities, the successful application of such methods within an organization often requires consideration of, and adherence to, one or more security operations policies of the organization. In large or complex organizations, such security operations policies often comprise a policy hierarchy, with an overall policy applicable to all divisions of the organization and lower-level policies applicable to particular divisions of the organization. Typically, the lowest-level policy in such a hierarchy includes a policy applicable to the particular domain with which a computer system is associated.
It is possible that the countermeasures contained within a TMV are incompatible with one or more policies within such a policy hierarchy or that the application of the countermeasures in accordance with one policy will create an inability to comply with another policy within the hierarchy.
Accordingly, there exists a need in the art to overcome the deficiencies and limitations described hereinabove.
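As an added illustration that is not part of this application or of the cited Bardsley and McKenna applications, the following Python models the check the preceding paragraphs motivate: each countermeasure in a TMV's countermeasures vector (using the IDC, IRC and VRC classes of the '798 application) is evaluated against an organization, division and domain policy hierarchy, reporting both failure modes named above. The Countermeasure and Policy structures, the action and capability names, and the sample data are all constructed assumptions, not a format defined by any of the applications.

```python
from dataclasses import dataclass

# Countermeasure classes named in the '798 application.
IDC, IRC, VRC = "IDC", "IRC", "VRC"

@dataclass(frozen=True)
class Countermeasure:
    name: str
    cls: str                 # IDC, IRC or VRC
    actions: frozenset       # hypothetical effects of applying it
    disables: frozenset      # hypothetical capabilities it takes away

@dataclass(frozen=True)
class Policy:
    level: str               # "organization", "division" or "domain"
    forbids: frozenset       # actions this policy level does not permit
    requires: frozenset      # capabilities this level says must stay available

def evaluate_tmv(countermeasures, hierarchy):
    """Check every countermeasure in a TMV against every policy level.

    hierarchy is ordered from the overall organizational policy down to the
    domain policy. Returns (countermeasure name, policy level, reason) tuples,
    one per conflict, so a caller can decide whether to apply, defer or escalate.
    """
    conflicts = []
    for cm in countermeasures:
        for pol in hierarchy:
            # First failure mode: the countermeasure itself is incompatible
            # with a policy somewhere in the hierarchy.
            bad = sorted(cm.actions & pol.forbids)
            if bad:
                conflicts.append((cm.name, pol.level, "forbidden: " + ", ".join(bad)))
            # Second failure mode: applying it removes a capability that a
            # (possibly different) policy level requires the system to keep.
            lost = sorted(cm.disables & pol.requires)
            if lost:
                conflicts.append((cm.name, pol.level, "breaks required: " + ", ".join(lost)))
    return conflicts

# Constructed sample data; the names are illustrative only.
SAMPLE_TMV = [
    Countermeasure("sig-update", IDC, frozenset({"update_ids_signatures"}), frozenset()),
    Countermeasure("quarantine-host", IRC, frozenset({"isolate_network"}), frozenset({"remote_admin"})),
    Countermeasure("disable-service", VRC, frozenset({"stop_service"}), frozenset({"syslog_forwarding"})),
]
SAMPLE_HIERARCHY = [
    Policy("organization", frozenset(), frozenset({"syslog_forwarding"})),
    Policy("division", frozenset({"isolate_network"}), frozenset()),
    Policy("domain", frozenset(), frozenset({"remote_admin"})),
]

if __name__ == "__main__":
    for name, level, reason in evaluate_tmv(SAMPLE_TMV, SAMPLE_HIERARCHY):
        print(f"{name}: conflicts with {level} policy ({reason})")
```

Running it lists the two countermeasures that collide with the hierarchy and leaves the signature update, which touches nothing any level forbids or requires, unflagged.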